Js.yamanner - Spreads Via Yahoo's Free Email Service


12 replies to this topic

#1 harrywaldron

harrywaldron

    Security Reporter


  • Members
  • 509 posts
  • Gender:Male
  • Location:Roanoke, Virginia

Posted 12 June 2006 - 08:47 AM

JS.Yamanner@m is a worm that is written in JavaScript. It exploits a vulnerability in the Yahoo email service to send a copy of itself to the user's Yahoo email contacts.

EMAIL to AVOID:
From: Varies
Subject: New Graphic Site
Message body: Note: forwarded message attached.


JS.Yamanner - Spreads via Yahoo's free email service
http://secunia.com/virus_information/29782/js.yamanner/
http://www.sarc.com/avcenter/venc/data/js.yamanner@m.html


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,476 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 12 June 2006 - 11:41 AM

More info: Yahoo Mail Worm Harvesting Addresses
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 Elendil

Elendil

  • Members
  • 660 posts
  • Gender:Male
  • Location:The US

Posted 12 June 2006 - 12:54 PM

Here's PCWorld's info:

http://www.pcworld.com/resource/article/0,...,RSS,RSS,00.asp

Thankfully, I use Gmail! :thumbsup:
Stanford '14
B.S. Candidate | Computer Science

#4 quietman7

Posted 12 June 2006 - 09:12 PM

Last Updated: 2006-06-12 21:19:00

...To activate the mass-mailer it is sufficient to open the mail message without clicking on the attachment and it will scour your address list and send itself as an attachment (forwarded message) to everyone on it. It searches for both @yahoo.com and @yahoogroups.com e-mail addresses...There is currently no trivial fix for Yahoo! mail as turning off Javascript on the browser will prevent you from reading your e-mail... Yahoo! is aware of the issue and is working on a fix, in their words "Yahoo! Mail is blocking most of these messages, and is working on a fix."

http://isc.sans.org/diary.php?compare=1&storyid=1398

Edit: To clarify, the Yamanner worm does not send itself as an attachment, it resides inside the e-mail body. The worm activates automatically by just opening an infected e-mail message with Internet Explorer. It uses a 0-day vulnerability in Yahoo! webmail system.

Edited by quietman7, 13 June 2006 - 10:24 AM.


#5 quietman7

Posted 13 June 2006 - 10:30 AM

Just received this from our network Administrator (no link was provided).

Yahoo says that a solution has automatically been distributed to all Yahoo mail customers, but Symantec's Security Response site suggests that Yahoo mail users might best protect themselves by upgrading to the latest test version of the recently upgraded Yahoo Mail software. "The worm cannot run on the newest version of Yahoo Mail Beta", Symantec's site says.



#6 NCRedNeckK

NCRedNeckK

  • Members
  • 3 posts

Posted 13 June 2006 - 12:49 PM

So here is the question that I have looked all over for, but have not been able to find a direct answer to:

Does this worm only run when an infected e-mail is opened?

Or, does something get installed locally on the PC that will cause all future e-mails to be infected?

One other one: The solution that Yahoo sent out, was it sent via e-mail? If so, and one deleted it, is there any way to get a copy?

Thanks for any help.

#7 buddy215

buddy215

  • Moderator
  • 13,196 posts
  • Gender:Male
  • Location:West Tennessee

Posted 13 June 2006 - 12:57 PM

The message will have a "From" address of av3@yahoo.com and a Subject: of "New Graphic Site."

It is recommended that you block the address "av3@yahoo.com"
“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#8 quietman7

Posted 13 June 2006 - 12:58 PM

The worm does not send itself as an attachment, it resides inside the e-mail body. The worm activates automatically by just opening an infected e-mail message with Internet Explorer.

Since the solution was automatically distributed, I would say yes by email. I will check around some more to see where else it's available and let you know if I find anything.
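As an added illustration (not part of any post in this thread, and not Yahoo's or Symantec's code), the indicators quoted in posts #1 and #7 can be combined with a generic check for script-capable markup in the HTML body, since the worm is described as JavaScript that lives in the body rather than in an attachment. The two-indicator quarantine rule, the tag list and the sample message are assumptions made for this example.

```python
import email
from email import policy
from html.parser import HTMLParser

# Indicators quoted in the thread (posts #1 and #7), lowercased for matching.
SUBJECT = "new graphic site"
SENDER = "av3@yahoo.com"
BODY_NOTE = "forwarded message attached"


class ActiveContentFinder(HTMLParser):
    """Collects markup that can run script when a mail page renders it."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe", "object", "embed"):  # assumed tag list
            self.hits.append(f"<{tag}>")
        for name, value in attrs:
            if name.startswith("on"):  # event handlers: onload, onclick, ...
                self.hits.append(f"{tag}[{name}]")
            elif value and value.strip().lower().startswith("javascript:"):
                self.hits.append(f"{tag}[{name}=javascript:]")


def triage(raw: str) -> dict:
    """Flag a raw RFC 5322 message by thread indicators and active HTML."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    if SUBJECT in str(msg["Subject"] or "").lower():
        reasons.append("subject")
    if SENDER in str(msg["From"] or "").lower():
        reasons.append("sender")
    finder = ActiveContentFinder()
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype not in ("text/plain", "text/html"):
            continue
        text = part.get_content()
        if BODY_NOTE in text.lower() and "body-note" not in reasons:
            reasons.append("body-note")
        if ctype == "text/html":
            finder.feed(text)
    # Assumed policy: any active content, or two or more indicators.
    return {"indicators": reasons, "active_content": finder.hits,
            "quarantine": bool(finder.hits) or len(reasons) >= 2}


# Constructed sample (not captured traffic); the script body is inert.
SUSPECT = ("From: av3@yahoo.com\nSubject: New Graphic Site\nContent-Type: text/html\n\n"
           "<p>Note: forwarded message attached.</p><script>/* placeholder */</script>\n")
```

Blocking on the sender or subject alone is easy to evade, as post #1 notes the From address varies; the active-content check is the part that does not depend on those strings.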

#9 NCRedNeckK

Posted 13 June 2006 - 01:28 PM

I understand that it is in the e-mail itself, and not an attachment. When the Javascript runs, is anything installed locally?

#10 quietman7

Posted 13 June 2006 - 01:51 PM

There are no other related malware files installed if that's what you're asking about. When the script runs it sends a copy of itself to email addresses gathered from the Yahoo email folders. Harvested addresses from the address book are then submitted to a remote URL, which is likely to be used for a spam database...technical details here.

#11 NCRedNeckK

Posted 13 June 2006 - 03:09 PM

Thanks Quietman, that's exactly what I was asking about. I find it interesting that Symantec has you turn system restore off and run a full system scan. It looks like that is a waste of time.

Edited by NCRedNeckK, 13 June 2006 - 03:10 PM.


#12 quietman7

Posted 14 June 2006 - 12:52 PM

Yahoo quickly steps on e-mail worm

..."Once we were aware of it we put a solution in place," said Kelly Podboy, a spokeswoman for the Mountain View, California, company.

"It has been resolved. We don't know how many users were impacted, but we believe it was a very small fraction."...



#13 Wysi Free

Wysi Free

  • Members
  • 20 posts
  • Location:USA

Posted 16 July 2008 - 07:52 PM

Today I got an email from myself saying that I had a site dealing with electronics. The email went to everyone in my address book.

The original Yamanner seemed to target only yahoo sites with hope of further spreading whatever it is they are spreading. This one targeted everyone in my address book. I did an immediate scan -- several different ones and my XP came up clean on all counts. Yamanner was said to be a script that once the email was opened would "infect" the Yahoo account.

The subject line was "HI" and there were some links in the email. Comments on the original were that they had to do with a graphics site. I don't remember seeing anything like that and generally just zap things that look strange before opening. I have reported this to Yahoo but no reply yet.

Anyone else seen this or am I special?

:thumbsup:



